httpd-users mailing list archives

From Igor Cicimov <icici...@gmail.com>
Subject Re: [users@httpd] [RHEL6.2] SSL handshake failure
Date Sun, 18 Mar 2012 21:50:43 GMT
"[Mon Mar 19 06:51:12 2012] [info] SSL Library Error: 336109761
error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher Too
restrictive SSLCipherSuite or using DSA server certificate?"

Check the SSLCipherSuite directive in your SSL host as the error says it
might be too restrictive. Try adding more options.
 On Mar 19, 2012 2:00 AM, "Aubrey Li" <aubreylee@gmail.com> wrote:

> Here is what I got when I put the loglevel to debug in httpd.conf
> ===============================================================
> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_kernel.c(1866): OpenSSL:
> Handshake: start
> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_kernel.c(1874): OpenSSL:
> Loop: before/accept initialization
> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_io.c(1897): OpenSSL:
> read 11/11 bytes from BIO#7fa4600011a0 [mem: 7fa460006ac0] (BIO dump
> follows)
> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_io.c(1830):
> +-------------------------------------------------------------------------+
> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_io.c(1869): | 0000: 16
> 03 00 00 2d 01 00 00-29 03                    ....-...).       |
> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_io.c(1873): | 0011 -
> <SPACES/NULS>
> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_io.c(1875):
> +-------------------------------------------------------------------------+
> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_io.c(1897): OpenSSL:
> read 39/39 bytes from BIO#7fa4600011a0 [mem: 7fa460006acb] (BIO dump
> follows)
> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_io.c(1830):
> +-------------------------------------------------------------------------+
> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_io.c(1869): | 0000: 4f
> 66 66 ec 02 5d 92 3d-4d db ee c7 10 f5 d5 43  Off..].=M......C |
> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_io.c(1869): | 0010: 3e
> 16 87 86 7b c9 a0 88-db 60 5a c8 f1 46 10 8f  >...{....`Z..F.. |
> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_io.c(1869): | 0020: 00
> 00 02 00 04 01                                ......           |
> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_io.c(1873): | 0039 -
> <SPACES/NULS>
> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_io.c(1875):
> +-------------------------------------------------------------------------+
> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_kernel.c(1884): OpenSSL:
> Write: SSLv3 read client hello C
> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_kernel.c(1903): OpenSSL:
> Exit: error in SSLv3 read client hello C
> [Mon Mar 19 06:51:12 2012] [debug] ssl_engine_kernel.c(1903): OpenSSL:
> Exit: error in SSLv3 read client hello C
> [Mon Mar 19 06:51:12 2012] [info] [client 10.2.1.2] SSL library error
> 1 in handshake (server www.example.com:443)
> [Mon Mar 19 06:51:12 2012] [info] SSL Library Error: 336109761
> error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher Too
> restrictive SSLCipherSuite or using DSA server certificate?
> [Mon Mar 19 06:51:12 2012] [info] [client 10.2.1.2] Connection closed
> to child 2 with abortive shutdown (server www.example.com:443)
> ==================================================================
> quite strange, openssl s_client command can pass the SSL handshake while
> this java application cannot.
>
> openssl version is 0.9.8u
>
> Welcome any inputs!
>
> Thanks,
> -Aubrey
>
>
> On Fri, Mar 16, 2012 at 1:50 AM, Mark Montague <mark@catseye.org> wrote:
> > On March 15, 2012 13:31 , Aubrey Li <aubreylee@gmail.com> wrote:
> >>
> >> Thanks for your reply. here is the output of httpd -V. [...]
> >>
> >>
> >>  -D HTTPD_ROOT="/export/bench/benchmarks/apache2"
> >>  -D SUEXEC_BIN="/export/bench/benchmarks/apache2/bin/suexec"
> >>  -D DEFAULT_PIDLOG="logs/httpd.pid"
> >>  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
> >>  -D DEFAULT_ERRORLOG="logs/error_log"
> >>  -D AP_TYPES_CONFIG_FILE="conf/mime.types"
> >>  -D SERVER_CONFIG_FILE="conf/httpd.conf"
> >>
> >>>> I built httpd-2.2.22 on a RHEL6.2 system with SSL enabled. Then I made a
> >>>> client to create a connection to httpd but received a handshake failure
> >>>> report.
> >>>>
> >>>> [...]
> >>>>
> >>>> When I connect the client to the server(RHEL6.2), there is no
> >>>> access_log, no err_log,
> >>>> nothing added in /var/log/messages, it's very weird.
> >
> >
> > So you are saying that you have a file at
> > /export/bench/benchmarks/apache2/conf/httpd.conf that contains all of the
> > correct directives to configure SSL, logging, and appropriate virtual hosts?
> >
> > And you are saying that no logs are appearing at
> > /export/bench/benchmarks/apache2/logs/error_log nor at the location that you
> > specify in your ErrorLog directive in
> > /export/bench/benchmarks/apache2/conf/httpd.conf ?
> >
> > In this case, what user are you starting httpd as?  What are the values for
> > the User and Group directives in
> > /export/bench/benchmarks/apache2/conf/httpd.conf ? Do that user and group
> > have write access to the place you are telling this version of httpd to
> > write its error logs?
> >
> > Is this system running any Mandatory Access Control system such as SELinux,
> > AppArmor, Tomoyo, or grsecurity that could be interfering with what this
> > version of httpd is trying to do or where it is trying to do it?   If so,
> > then check the log files for the Mandatory Access Control system that you
> > are running to find out what the problem is.
> >
> > Hopefully other people on this list will have additional, and better,
> > suggestions of things to check.
> >
> > --
> >  Mark Montague
> >  mark@catseye.org
> >
>
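
The ClientHello bytes in the quoted debug log can be decoded to see exactly which cipher suites the client offers, which is what SSLCipherSuite has to overlap with. This is an added example, not part of the original messages; the function names and the small cipher-name table are assumptions, and the bytes the dump trimmed as "<SPACES/NULS>" are assumed to be zero.

```python
import re

# BIO dump lines copied from the debug log quoted above, with the e-mail
# line wrapping undone. The dump trims trailing NUL/space bytes
# ("<SPACES/NULS>"), so each read is zero-padded back to its stated length.
LOG = """\
read 11/11 bytes from BIO#7fa4600011a0 [mem: 7fa460006ac0] (BIO dump follows)
| 0000: 16 03 00 00 2d 01 00 00-29 03                    ....-...).       |
read 39/39 bytes from BIO#7fa4600011a0 [mem: 7fa460006acb] (BIO dump follows)
| 0000: 4f 66 66 ec 02 5d 92 3d-4d db ee c7 10 f5 d5 43  Off..].=M......C |
| 0010: 3e 16 87 86 7b c9 a0 88-db 60 5a c8 f1 46 10 8f  >...{....`Z..F.. |
| 0020: 00 00 02 00 04 01                                ......           |
"""

# Small excerpt of the cipher suite registry, mapped to OpenSSL names.
SUITES = {0x0004: "RC4-MD5", 0x0005: "RC4-SHA", 0x000A: "DES-CBC3-SHA",
          0x002F: "AES128-SHA", 0x0035: "AES256-SHA"}

def bytes_from_log(log):
    out, chunk, want = bytearray(), bytearray(), 0
    for line in log.splitlines():
        m = re.search(r"read (\d+)/\d+ bytes", line)
        if m:                                   # a new read starts
            out += chunk.ljust(want, b"\0")     # restore trimmed NULs
            chunk, want = bytearray(), int(m.group(1))
            continue
        m = re.search(r"\| [0-9a-f]{4}: ((?:[0-9a-f]{2}[ -])+)", line)
        if m:                                   # hex column of a dump row
            chunk += bytes.fromhex(m.group(1).replace("-", " "))
    return bytes(out + chunk.ljust(want, b"\0"))

def parse_client_hello(data):
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    body_len = int.from_bytes(data[6:9], "big")
    body = data[9:9 + body_len]
    if len(body) < body_len:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    pos = 2 + 32                       # skip client_version and random
    pos += 1 + body[pos]               # skip session_id
    n = int.from_bytes(body[pos:pos + 2], "big")
    ids = [int.from_bytes(body[i:i + 2], "big")
           for i in range(pos + 2, pos + 2 + n, 2)]
    return version, [SUITES.get(i, f"0x{i:04X}") for i in ids]

def offered(log=LOG):
    return parse_client_hello(bytes_from_log(log))
```

On the log above it reports SSL 3.0 with RC4-MD5 as the only suite offered, so the server and client share a cipher only if SSLCipherSuite permits that suite or the client is configured to offer others.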
